Practical Risk Assessment Tools

In a previous blog post we cataloged a number of risk management methodologies that we’ve seen organizations employ in an effort to manage the security of their information systems. A number of people have asked us, though, what tools best assist people implementing those models? Are there tools available to make the process easier, or do companies have to develop their own tools to make one of these methods a reality?

Unfortunately the answer is that most of the companies we’ve worked with have chosen to develop their own risk management tools. Though to be fair, the majority of companies we meet choose to manage their efforts through very simple tools such as Microsoft Excel spreadsheets. While there’s nothing wrong with that, the questions inspired us to follow up the previous post with a list of some of the risk assessment toolkits we’ve seen people use.

In the open source world there are a few choices, and more seem to be springing up all the time as the need for visual risk assessment tools increases. Some of the more popular tools we’ve encountered are:

  • Binary Risk Assessment Tools
  • Babel Enterprise (free & commercial)
  • Cyber Security Evaluation Tool (DHS)
  • OSSIM SIEM (free & commercial)
  • Practical Threat Analysis (PTA) Professional

But this doesn’t mean that there aren’t also commercial tools available to purchase to jumpstart this process. Most tools in this commercial space are known as Governance, Risk, and Compliance (GRC) tools, and Gartner even publishes a Magic Quadrant on the subject. Some of the more popular commercial tools are:

  • OpenPages Enterprise GRC
  • Thomson Reuters Paisley
  • Bwise GRC
  • Oracle Enterprise GRC Manager
  • MetricStream
  • Methodware ERA
  • Cura Enterprise
  • Archer Technologies SmartSuite
  • Protiviti Governance Portal
  • Mega Suite
  • Aline Operational Suite
  • CCH TeamMate, Sword, & Axentis
  • IDS Scheer ARIS

Hopefully this list gets you thinking and gives you a good place to get started as you consider which tool is the best option for you. Happy hunting!

Formal Risk Assessment Methods

Many organizations we have been speaking with lately have begun the process of risk management in an effort to formalize their information assurance programs. For many organizations this is a new step and involves uncertainty. One of the biggest questions we get when talking with companies is: what risk assessment models are there to choose from?

Certainly the catalog of potential methods is long, and every practitioner we know seems to have a preference for a particular risk management methodology. We don’t want to start any wars over this, but we do want people to understand what some of their options are. So we’ve been compiling a list of some of the more popular methodologies that we’ve seen companies implementing.

In no particular order, here are some of the more popular methods we’ve seen companies using:

  1. Single Loss Expectancy (SLE) / Annualized Loss Expectancy (ALE)
  2. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
  3. National Institute of Standards & Technology (NIST) Special Publications 800 Series
  4. ISO 27005 Risk Management Methodology
  5. Factor Analysis of Information Risk (FAIR)
  6. Microsoft STRIDE & DREAD
  7. Guide to the Assessment of IT Risk (GAIT)
  8. Failure Modes and Effects Analysis (FMEA)
  9. Failure Modes, Effects and Criticality Analysis (FMECA)
  10. Cause Consequence Analysis (CCA)
  11. Modeling & Analysis of Safety and Risk in Complex Systems (MASR)
  12. Open Governance, Risk and Compliance Maturity Management Methodology (OGRCM3)
  13. Open Risk Model Repository (ORIMOR)

Does this mean that all the companies we deal with choose one of these methods? Of course not! Most companies we meet choose a personalized method that customizes aspects from multiple models in order to create a model that works best for them. Of course there’s nothing wrong with that either. We just hope that by understanding some of your choices you’ll be able to make a better decision about which model is best for you.

The best risk management model will always be the one that helps you and your organization to achieve your goals.